Customizing and securing the route to the platform

Cloud Pak for Data exposes one HTTPS port as the primary access point for the web client and API requests. On Red Hat® OpenShift® Container Platform, the port is exposed as an OpenShift route.

Default route characteristics

The default route, named cpd, has the following characteristics:
  • The default route is a re-encrypt route.

    This means that encrypted traffic is re-encrypted by OpenShift before it is sent to Cloud Pak for Data.

  • The default route uses a self-signed TLS certificate to enable HTTPS connections.

    This certificate is untrusted by all HTTPS clients. It is strongly recommended that you replace the self-signed certificate with your own certificate.

    Important: If you do not replace the self-signed certificate with your own certificate, the user's browser does not cache the user interface, which can adversely impact performance.

By default, the route to the platform has the following structure:

https://cpd-namespace.apps.OCP-default-domain

Options for customizing the route

You can use the cpd-cli manage setup-route command to:
  • Replace the default self-signed certificates with a custom TLS certificate
  • Customize the route by:
    • Changing the hostname of the default route
    • Changing the default route from a re-encrypt route to a passthrough route

Security requirements for each route type

Cloud Pak for Data supports several types of routes. The type of route that you use determines the requirements for the route:

Passthrough
  • Default certificate: By default, the route uses an IBM self-signed certificate. However, it is recommended that you replace this certificate with a custom certificate.
  • Custom TLS certificate and key: Supported. If you use a passthrough route, this option is strongly recommended. The files must be in an unencrypted PEM format.
  • CA certificate: Not used.

Re-encrypt (default)
  • Default certificate: By default, the route uses the default certificate that is provided by the Red Hat OpenShift Container Platform ingress controller. However, it is recommended that you replace this certificate with a custom certificate. For details, see Replacing the default ingress certificate in the Red Hat OpenShift Container Platform documentation.
  • Custom TLS certificate and key: Uses the ingress controller settings by default. If you want to use custom certificates, you must specify the TLS certificate, the TLS key, and the CA certificate. The files must be in an unencrypted PEM format.
  • CA certificate: Uses the ingress controller settings by default. If you want to use custom certificates, you must specify the TLS certificate, the TLS key, and the CA certificate. The files must be in an unencrypted PEM format.
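The "unencrypted PEM" requirement can be checked on the TLS certificate, TLS key, and CA certificate files before they are given to cpd-cli manage setup-route. The following is an added example, not IBM code and not part of cpd-cli; the names parse_pem, check and pem are this example's own, and the sample PEM bodies are constructed placeholders rather than real keys or certificates.

```python
import base64
import re

# RFC 7468 boundaries: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def parse_pem(text):
    """Yield (label, encrypted, der) for each PEM block; der is None if not base64."""
    for label, body in PEM_BLOCK.findall(text.replace("\r\n", "\n")):
        # Legacy OpenSSL keys put RFC 1421 headers and a blank line before the body.
        headers, sep, payload = body.partition("\n\n")
        if not sep or ":" not in headers:
            headers, payload = "", body
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
        try:
            der = base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:
            der = None
        yield label, encrypted, der

def check(role, text):
    """role: 'cert', 'key' or 'ca'. Returns a list of problems; empty means usable."""
    problems = []
    blocks = list(parse_pem(text))
    if not blocks:
        return ["no PEM block found (file may be DER or PKCS#12)"]
    for label, encrypted, der in blocks:
        if encrypted:
            problems.append(f"{label}: encrypted, decrypt before use")
        elif not der or der[0] != 0x30:  # certificates and keys are ASN.1 SEQUENCEs
            problems.append(f"{label}: body is not base64-encoded DER")
        elif role == "key" and label not in KEY_LABELS:
            problems.append(f"{label}: expected a private key")
        elif role in ("cert", "ca") and label != "CERTIFICATE":
            problems.append(f"{label}: expected a certificate")
    return problems

# Constructed stand-in body (SEQUENCE { INTEGER 0 }), not a real key or certificate.
BODY = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()

def pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{BODY}\n-----END {label}-----\n"

if __name__ == "__main__":
    legacy = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"  # constructed headers
    for name, role, text in [("tls.crt", "cert", pem("CERTIFICATE")),
                             ("tls.key", "key", pem("RSA PRIVATE KEY", legacy)),
                             ("ca.crt", "ca", pem("CERTIFICATE") * 2)]:
        print(name, check(role, text) or "ok")
```

The check reads only the PEM armor and encoding; it does not confirm that the key matches the certificate or that the CA certificate signed it.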

Complete the appropriate tasks for your environment: